[Discussion] Downtime and Server Compromise

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Forum rules
Discussion of general topics related to the new release and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Post Reply
mulkman
Registered User
Posts: 5
Joined: Sun Feb 08, 2009 5:12 pm

Re: [Discussion] Downtime and Server Compromise

Post by mulkman »

Maybe you should develop your own phplist type of software.

A quick google search I found this page below. I think the guy that hacked your site has posted how he completed the hack.



Removed *paul*
Last edited by Paul on Sun Feb 08, 2009 7:27 pm, edited 1 time in total.
Reason: Removed link, we know regarding it.

sevenalive
Registered User
Posts: 3
Joined: Sat Feb 07, 2009 6:39 am

Re: [Discussion] Downtime and Server Compromise

Post by sevenalive »

i am not sure why it's taking so long to bring the site back. This is why you should always keep a complete site backup that is current, and backup your databases every day (and for the forums, every few hours). Also if they own the dedicated servers running the site, have a current image of them as well. Then this type of thing would only cause a few hours or a day of downtime, not a week+.

Lesson to be learned: Keep your software and mods up to date and make backups often.

User avatar
ChrisRLG
Registered User
Posts: 160
Joined: Wed Oct 11, 2006 9:47 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ChrisRLG »

mulkman wrote:Yes

But how did the attacker know you were running phplist software. Im pretty much certain the page did not have "Powered by phplist" at bottom

:roll:

Although their is nothing you can do about 0day exploits.
Hackers have 'bots' that do phishing attempts against domains.

They 'know' the usual folder and files names containing in most server software packages and the make attempts to read each of those files/folders to see what responce they get. If they get a 'file found' responce from the server they finish off with an attack against any known vulnerabilities against that software.

If you are realy interested in this follow the link below in my signature to my live v3 forum - check out the publicity room where I have given talks on the subject of server security and 'malware'.

If you check your own domain error logs you will see those 'phishing' attempts - every day.
sevenalive wrote:i am not sure why it's taking so long to bring the site back. This is why you should always keep a complete site backup that is current, and backup your databases every day (and for the forums, every few hours). Also if they own the dedicated servers running the site, have a current image of them as well. Then this type of thing would only cause a few hours or a day of downtime, not a week+.

Lesson to be learned: Keep your software and mods up to date and make backups often.
If you read back over this topic, you will see that, yes, we do have copies and could easy have restored to them.

However the hacker had access for 2 weeks and it would mean losing 2 weeks of posts.

We do not think it in the best interest of the community to lose those.

Paul
Infrastructure Team Leader
Infrastructure Team Leader
Posts: 367
Joined: Thu Sep 16, 2004 9:02 am
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by Paul »

Backups are made often, but as the hacked had access since Januari 14, we would need to restore a backup from before that date ;).
Instead we decided to use a later backup, and santinise that. But that just takes some time.

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by EXreaction »

I am not too worried about email addresses being taken. Most people have decent spam filtering anyways (if you don't, get gmail and forward your mail to it).

I list my email address tons of places anyways. :P
sevenalive wrote:i am not sure why it's taking so long to bring the site back. This is why you should always keep a complete site backup that is current, and backup your databases every day (and for the forums, every few hours). Also if they own the dedicated servers running the site, have a current image of them as well. Then this type of thing would only cause a few hours or a day of downtime, not a week+.

Lesson to be learned: Keep your software and mods up to date and make backups often.
Sorry, but you really don't have a clue just how large the phpbb site was, do you? I wouldn't be surprised if the database was in the 10's of GB's or even larger. Backing that up daily would pretty much require a dedicated server, doubling their costs (besides bandwidth). Backing up hourly simply would not work (and would not help at all anyways). Backing it up that often would almost require an additional dedicated server for the database to prevent backups from putting too much load on the server and taking it down.

Could you go through 2 weeks worth of posts, attachments, users, on phpbb.com in a few hours or a day? They all must be gone through to make sure that the cracker did not alter anything else to leave backdoors, etc. What good would it do to put up the site again if the cracker left a backdoor?

The software WAS up to date, this was a 0-day exploit.

User avatar
3Di
Registered User
Posts: 786
Joined: Tue Nov 01, 2005 9:50 pm
Location: Milano (I) Frankfurt (D)
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by 3Di »

paulus wrote:Backups are made often, but as the hacked had access since Januari 14, we would need to restore a backup from before that date ;).
Instead we decided to use a later backup, and santinise that. But that just takes some time.
so you made a backup of what it was since you discovered the issue and blocked the boards?

do you confirm that no posts/etc will be lost after the sanitisation?

Thanks.
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades
👨‍🏫 | Take a tour to | The Studio | 👨‍🏫

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [Discussion] Downtime and Server Compromise

Post by EXreaction »

3Di wrote:
paulus wrote:Backups are made often, but as the hacked had access since Januari 14, we would need to restore a backup from before that date ;).
Instead we decided to use a later backup, and santinise that. But that just takes some time.
so you made a backup of what it was since you discovered the issue and blocked the boards?

do you confirm that no posts/etc will be lost after the sanitisation?

Thanks.
Of course they would have made a backup then. ;)

Posts shouldn't be an issue, unless unescaped HTML was inserted into them, which should be easy to check using a simple script.

rockeiro
Registered User
Posts: 4
Joined: Wed Feb 04, 2009 7:57 pm

Re: [Discussion] Downtime and Server Compromise

Post by rockeiro »

I've got two forums running and have more or less eliminated the current rash of registrations by changing my captcha x-axis to 14 and my y-axis to 6. Give that a try everyone.

ToonArmy
Registered User
Posts: 335
Joined: Fri Mar 26, 2004 7:31 pm
Location: Bristol, UK
Contact:

Re: [Discussion] Downtime and Server Compromise

Post by ToonArmy »

EXreaction wrote:Posts shouldn't be an issue, unless unescaped HTML was inserted into them, which should be easy to check using a simple script.
Actually a certain amount of HTML is stored in the posts table un-escaped ;)
3Di wrote:do you confirm that no posts/etc will be lost after the sanitisation?
At most a few hours have been lost, I'm not 100% sure though.
rockeiro wrote:I've got two forums running and have more or less eliminated the current rash of registrations by changing my captcha x-axis to 14 and my y-axis to 6. Give that a try everyone.
Bit off topic for this topic ;)
Chris SmithBlogXMOOhlohArea51WikiNo support via PM/IM
Image

cfs3.ace
Registered User
Posts: 1
Joined: Sun Feb 08, 2009 8:59 pm

Re: [Discussion] Downtime and Server Compromise

Post by cfs3.ace »

Has there been any update as to when the site will be back up? I was just going to work on a mod... Then I tried to access the website. Oh well. Keep up the good work!

Post Reply